Procedia Computer Science 55 (2015) 431 – 440

Available online at www.sciencedirect.com (ScienceDirect)

1877-0509 © 2015 Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Organizing Committee of ITQM 2015. doi: 10.1016/j.procs.2015.07.099

Information Technology and Quantitative Management (ITQM 2015)

Business Continuity Management (BCM) Applied to Transpetro's National Operational Control Center - CNCO

Dilmar de Castro Alves, Marcio Manhães Gomes de Almeida*

Transpetro's National Operational Control Center, Av. Pres. Vargas 328, 20091-060, Rio de Janeiro, Brazil

Abstract

TRANSPETRO (Petrobras Transporte S.A.) undertakes oil, products, ethanol, biofuels and natural gas pipeline transportation and storage activities. It is in charge of more than 14,000 kilometers of oil and gas pipelines, which interconnect all Brazilian regions and supply the country's most remote points. Currently, TRANSPETRO, through its National Operational Control Center (CNCO), operates and monitors more than 91% of the liquid transportation pipelines and distribution lines and 100% of the natural gas pipelines of the Brazilian state company PETROBRAS and of private companies. The centralization of TRANSPETRO's pipeline and terminal operations, started in 2002 with the creation of its Control Center, which uses SCADA technology, substantially changed the way the company operates its pipelines. This decision required a very large cultural change and the breaking of paradigms. In addition to requirements for better operational reliability, which involve the SCADA technology and its supporting infrastructure (electrical, air-conditioning, fire detection and extinguishing, etc.), reliability requirements were also introduced for the management of operating processes and for human reliability. In this context, the CNCO is part of a reliability triad covering the operational, technological and human process segments. The present work describes the Business Continuity Management (BCM) program now being implemented in TRANSPETRO: the methodology and guidelines established for managing business continuity and incident response (crisis management), focusing on CNCO, using BSI 2231-3 [1] as a benchmark.

As a result of the BCM program at the CNCO, some evidence will be presented, such as the benefits arising from the implementation of the Business Impact Analysis (BIA); the qualitative risk assessment based on the FRAAP methodology; and a sample of the system used to evaluate the level of maturity (stages) of the program's implementation, again with BSI 2231-3 (BSI PAS 56) as benchmark. Examples of the various documents that make up the BCM will be shown. A summary of the SCADA architecture will also be presented and, as an example, the process of assessing the maturity level of the Maintenance Management and Administration model applied to SCADA technology, based on a heuristic model developed by the professionals responsible for SCADA, as one of the solutions that can be used, among others, to ensure business continuity.

Keywords: CNCO; BCM; SCADA

* Corresponding author: Marcio Manhães Gomes de Almeida. Tel.: +55 21 3211-9051

432 Dilmar de Castro Alves and Marcio Manhães Gomes de Almeida / Procedia Computer Science 55 ( 2015 ) 431 – 440

1. Introduction

1.1 Objective of this work

This work specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continuously improving a documented Business Continuity Management System (BCMS) within the risk management context, focusing on TRANSPETRO's National Operational Control Center (CNCO) and developing its resilience, in other words, 'the ability of recognizing and being capable of handling unexpected events, that impose the review of whatever has been conceived and established in terms of values and demands in terms of all management processes, strategies and policies that have been in use' (Woods, 2005 [2]; Hollnagel, 2004 [3]).

Figure 1. Partial view of TRANSPETRO´S National Operational Control Center - CNCO

2. The Scada Technology

The CNCO uses its Supervisory Control and Data Acquisition (SCADA) system to control and monitor the company's pipeline operations. This system controls the vast majority of the terminals, pumping and compressor stations and pipelines (oil and natural gas) operated by the company. CNCO's tasks are: starting and stopping pumps and compressors, opening and closing valves, controlling the output and input volumes in the several operational areas, and keeping the operational variables within the expected process limits. Figure 2 shows the architecture of the CNCO SCADA system.


Figure 2. TRANSPETRO's SCADA System Architecture

Figure 2 (content recovered from the diagram): Two control centers run the same Oil and Gas SCADA systems: CNCO Head Office (Rio de Janeiro) and CNCO Backup (Campos Elíseos, Duque de Caxias, RJ). Each center has Oil and Gas workstations and the server pairs FEP1 and FEP2 (front-end processors), CMX1 and CMX2, and XIS1 and XIS2. Field sites (automation blocks with RTUs, PLCs and sensors/equipment, e.g. the ÓLEO-2 block with Magnew/Honeywell devices) reach the centers over two paths: the Integrated Corporate Network (MPLS) and a VSAT network (Ku or C band, via the Brasilsat or Amazonas satellites) with hubs at Campinas (SP, C band) and Edise (RJ, Ku band) and a backup hub at Campos Elíseos (RJ, Ku band). IPS devices sit between the corporate network and the SCADA environment; the Petrobras head office and offices (Rio de Janeiro) and the Petrobras buildings labelled EDISE, EDIHB and EDITA connect through the corporate network. Legend: solid line = physical link; dashed line = logical link. Platform: IBM RISC P550 and P6 hardware; UNIX/AIX 5.3 L; Sybase 15 database; OASyS 6.3UX SCADA software ("Stoner" labels the Oil and Gas pipeline SCADA systems in the diagram); Modbus/RTU/SAT protocols. Abbreviations: IPS - Intrusion Prevention System; MPLS - Multiprotocol Label Switching; VSAT - Very Small Aperture Terminal; RTU - Remote Terminal Unit; PLC - Programmable Logic Controller.

3. The BCM program

3.1. Definition of BCM system

'Holistic management process that identifies potential threats to the organization and the impacts to business operations, that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities' (BS 25999-2006) [4]

3.2. Incident Response Plan Overview

This incident management plan establishes the recommended organization, actions and procedures needed to:

- Recognize and respond to an incident;
- Assess the situation quickly and effectively;
- Notify the appropriate individuals and organizations about the incident;
- Organize the CNCO's response activities, including activating a command center;
- Escalate the company's response efforts based on the severity of the incident; and
- Support the business recovery efforts being made in the aftermath of the incident.

3.3. Stages of implementation

Reference requirements: ABNT NBR 15999 [5]. Document elaborated: "Methodology and guidelines for the implementation of BCM", based on the BCM Workbook - Business Continuity Management, Risk Management and Crisis [9]. Document elaborated: "Manual for Business Continuity Management and Incident Response", with the following structure:

Section 1 - Plan body (overview, scope, scenarios, recovery objectives, assumptions, etc.)
Section 2 - Incident response and management (management committee, definition of teams and responsibilities, checklist of tasks, etc.)
Section 3 - Notification and disaster declaration (notification process overview, CNCO team notification, notification of internal and external clients, vendors and business partners, activation of a Crisis Operations Center, etc.)
Section 4 - List of contacts, checklists for response and actions to incidents
Section 5 - Checklists for response and specific actions to incidents
Section 6 - Exercising, maintaining and auditing BCM (training and awareness, exercising BCM, BCM maintenance program and audit)
Section 7 - Incident management forms
Section 8 - Attachments, references, norms and standards

Stages carried out:

- Identification of the processes and/or activities that support key products and services (MCAs - Mission Critical Activities).
- Development and application of a BIA (Business Impact Analysis) questionnaire to evaluate the impacts that may result from the cessation of each activity or function of the key processes (MCAs).
- Qualitative risk assessment carried out with the FRAAP methodology [7] - Facilitated Risk Analysis and Assessment Process.
- Establishment, for each MCA, of the maximum tolerable period of disruption and the recovery time objective (RTO).
- Categorization of each MCA according to its recovery priority.
- Identification of the relevant dependencies and supporting resources of the prioritized activities, including suppliers, partners and other relevant stakeholders (internal customers vs. external clients).
- For suppliers and external/internal partners with MCAs related to CNCO, determination of the response readiness and of the strategies for maintaining CNCO continuity.
- Estimate of the resources each MCA will require for its recovery.
- Development of specific recovery plans according to the scenarios raised in the BIA.

3.4. Samples of some stages of work developed for the implementation of BCM in CNCO

Figure 3. BIA x Risk Assessment using the Facilitated Risk Analysis and Assessment Process - FRAAP [7].

CNCO impact assessment x scenario

Magnitude of impact | Code | Scenario
Catastrophic | C | Disruption of centralized operation (CNCO Headquarters and Backup)
High | A1 | Disruption of centralized operation (CNCO Headquarters)
High | A2 | Disruption of centralized operation (CNCO Backup)
High | A3 | Disruption of the Oil SCADA system (CNCO Headquarters or Backup)
High | A4 | Disruption of the Gas SCADA system (CNCO Headquarters or Backup)
High | A5 | Degraded operation, with possible support of the operational area
Medium | M1 | Work overload of the technical and/or operating staff due to insufficient qualified staff for the shift changeover and/or for the support of SCADA and related systems
Medium | M2 | Degraded operation of the Oil SCADA (Headquarters or Backup)
Medium | M3 | Degraded operation of the Gas SCADA (Headquarters or Backup)
Medium | M4 | Impairment of the voice communication flow with operating areas and related activities
Medium | M5 | Impairment of the integration of new projects or the migration of pipelines or equipment to CNCO, of the training process (operators and technicians) and of the maintenance and administration activity of the SCADA system
Low | B1 | Disruption of the automatic integration of SCADA information into corporate and/or administrative systems (BDEMQ; SAG/LOGUM; SAG; PIM; etc.)
Low | B2 | Disruption of access to corporate systems (Programming; BDEMQ; SAP; PIMS; SINPEP; RTAs; NOTES; Rope; etc.)
Low | B3 | Disruption of access to IT tools for analysis of the operational process and/or simulations, for operation
Low | B4 | Operation in contingency on the alternative energy system
Insignificant | I | No scenario associated with this impact

Risk matrix for mission critical activities - CNCO: Impact x Probability = Risk
Probability scale (rows): Almost Certain, Probable, Possible, Rare, Improbable.
Magnitude of impact scale (columns): Insignificant, Low, Medium, High, Catastrophic.
Resulting risk levels: Catastrophic, High, Medium, Low, Insignificant (the cell-by-cell assignment is colour-coded in the original figure and is not reproduced here).


Figure 4. Annex X - FRAAP Risk Assessment - CNCO (FRAAP risk assessment methodology, adapted)

Scenario x process. Columns: Ref. | Threat (event), with the impact scenario codes of Figure 3 | Probability (P) | Impact (I) | Risk = P x I. The asterisks in the last column are reproduced from the original figure. "Item 1.5.x of PCNRI" refers to the corresponding item of the continuity and incident response plan.

1. Mobility, integrity and access of key people, and integrity of the physical installation and/or building infrastructure related to CNCO

1.1. Mobility and access of key people to CNCO - insufficient qualified staff (Item 1.5.1 of PCNRI). BCM responsible: Operating Team.

Natural threats
1.1.1 | Storm, great flood (M1) | Probable | M1 | *
1.1.2 | Strong winds (M1) | Probable | M1 | *
1.1.3 | Earthquake (A1 and A2) | Improbable | C | A1 and A2
1.1.4 | Tsunami (A1 and A2) | Improbable | C | A1 and A2

Civil disorder
1.1.5 | General strike (M1) | Probable | M1 | *
1.1.6 | Crowds and protest marches (M1) | Probable | M1 | *
1.1.7 | Attempted invasion of the CNCO Headquarters or Backup premises (A1 or A2) | Possible | A1 or A2 | A1 or A2

1.2. Integrity of and access to installations - buildings, equipment rooms, control center and other rooms related to CNCO (Item 1.5.1 of PCNRI). BCM responsible: EGI, SCADA and Operating Team.

Accidents
1.2.1 | External fire in the proximity of CNCO (M1) | Possible | M1 | *
1.2.2 | Fire in external facilities or infrastructure affecting operations at CNCO (telecom sites) (A1 or A2) | Possible | A1 or A2 | *
1.2.3 | Fire in internal facilities or infrastructure affecting operations at CNCO (equipment and control center rooms) (A1 or A2) | Possible | A1 or A2 |
1.2.4 | Gas leak (A1 or A2) | Possible | A1 or A2 |
1.2.5 | Destruction of the building infrastructure of CNCO (Headquarters or Backup) (A1 or A2) | Possible | A1 or A2 |
1.2.6 | Flooding of SCADA equipment rooms, telecommunications and utility systems (electrical, cooling, fire and videowall) (A1 or A2) | Possible | A1 or A2 |

Actions of third parties
1.2.7 | Terrorism (I) | Improbable | Insignificant | I
1.2.8 | Sabotage - unauthorized personnel access to equipment and system rooms (A1 or A2) | Possible | A1 or A2 | *

2. People integrity, staffing and human reliability (Item 1.5.2 of PCNRI). BCM responsible: CCO, CCG and SCADA Team.
2.1 | Accident causing absence of operator groups and/or SCADA technicians (M1) | Possible | M1 | *
2.2 | Epidemic or disease outbreak (M1) | Possible | M1 | *
2.3 | Union strike, work action (M1) | Probable | M1 | *
2.4 | Lack of trained replacement staff for the key processes (MCAs) of operation and SCADA (M1) | Possible | M1 | *
2.5 | Human behavioural failure (fatigue, work overload, stress, environment, etc.) (A5) | Possible | A5 |
2.6 | Procedural failure (related to training, information vs. knowledge) (A5) | Possible | A5 |

3. Communication / telecommunication system (Item 1.5.3 of PCNRI). BCM responsible: TIC_PB and SCADA Team.
3.1 | Critical fault or total loss of the WAN automation network (Integrated Corporate Network and VSAT) (A1 and A2) | Rare | C | A1 and A2
3.2 | Critical failure or loss of the Integrated Corporate Network (automation network) (A3) | Possible | A3 | *
3.3 | Critical fault or loss of the VSAT satellite network (automation network) (M2 and M3) | Possible | M2 and M3 | *
3.4 | Critical fault or loss of the fixed telephony system or extensions (M4) | Possible | M4 | *
3.5 | Critical fault or loss of access to the intranet (corporate applications) (B1 and B2) | Possible | B1 and B2 | *
3.6 | Critical fault or loss of the telecommunications network operation service (CORS) (A1 and A2) | Rare | C | A1 and A2
3.7 | Critical fault or loss of the Automation Integrated Corporate Network due to upgrades or changes in the telecommunications system (A5) | Possible | A5 |
3.8 | Critical fault or loss of the fixed telephony system or extensions due to upgrades or modifications (M4) | Possible | M4 |

4. Automation / SCADA technology - AT (Item 1.5.4 of PCNRI). BCM responsible: SCADA Team.
4.1 | Critical fault or total loss of the functions of the Oil and Gas SCADA systems at CNCO Headquarters and CNCO Backup (A1 and A2) | Rare | C | A1 and A2
4.2 | Critical fault or total loss of the functions of the Oil and Gas SCADA systems at CNCO Headquarters or CNCO Backup (A3 or A4) | Possible | A3 or A4 |
4.3 | Critical fault or total loss of the CMX1 / XIS2 Oil SCADA server (Headquarters or Backup) (M2) | Possible | M2 | *
4.4 | Critical fault or total loss of the CMX2 / XIS1 Oil SCADA server (Headquarters or Backup) (M2) | Possible | M2 | *
4.5 | Critical fault or total loss of the CMX1 / XIS1 Gas SCADA server (Headquarters or Backup) (M3) | Possible | M3 | *
4.6 | Critical fault or total loss of the CMX2 / XIS2 Gas SCADA server (Headquarters or Backup) (M3) | Possible | M3 | *
4.7 | Critical fault or loss of the Oil engineering server (Headquarters or Backup) (M2) | Possible | M2 |
4.8 | Critical fault or loss of the Gas engineering server (Headquarters or Backup) (M3) | Possible | M3 |
4.9 | Critical fault or total loss of the human-machine interface servers of the Oil SCADA system (Headquarters or Backup) (A1 or A2) | Possible | A1 or A2 |
4.10 | Critical fault or total loss of the human-machine interface servers of the Gas SCADA system (Headquarters or Backup) (A1 or A2) | Possible | A1 or A2 |
4.11 | Loss of an Oil operations workstation (Headquarters or Backup) (M2) | Possible | M2 | *
4.12 | Loss of a Gas operations workstation (Headquarters or Backup) (M3) | Possible | M3 | *
4.13 | Critical fault or total loss of the Oil and Gas application servers at CNCO Headquarters or CNCO Backup (B1 and B3) | Possible | B1 and B3 |
4.14 | Critical fault or total loss of the Oil or Gas database servers at CNCO Headquarters or CNCO Backup (B1 and B3) | Possible | B1 and B3 |
4.15 | Critical fault or total loss of the "Gestor" application system (Headquarters or Backup) (M2) | Possible | M2 |
4.16 | Critical fault or total loss of the Oil and Gas front-end processor servers FEP1 and FEP2 (Headquarters and Backup) (A1 and A2) | Rare | C | A1 and A2
4.17 | Critical fault or total loss of the Oil front-end processor servers FEP1 and FEP2 (Headquarters or Backup) (A3) | Possible | A3 |
4.18 | Critical fault or total loss of the Gas front-end processor servers FEP1 and FEP2 (Headquarters or Backup) (A4) | Possible | A4 |
4.19 | Critical fault or total loss of one Oil front-end processor server, FEP1 or FEP2 (Headquarters or Backup) (M2) | Possible | M2 | *
4.20 | Critical fault or total loss of one Gas front-end processor server, FEP1 or FEP2 (Headquarters or Backup) (M3) | Possible | M3 | *
4.21 | Critical failure caused by an upgrade of the Oil SCADA system (M2) | Rare | M2 |
4.22 | Critical failure caused by an upgrade of the Gas SCADA system (M3) | Rare | M3 |
4.23 | Loss of the SCADA laboratory (M5) | Possible | M5 |
4.24 | SCADA system failure in the transfer of operations between CNCO Headquarters and CNCO Backup (A1 or A2) | Possible | A1 or A2 | *
BCM responsible: Process Engineering and CCO.
4.25 | Critical failure or loss of the engineering application servers used by the process engineering activity (Oil and Gas) (B3) | Possible | B3 |
4.26 | Critical fault or loss of the leak detection system (M2) | Possible | M2 |
BCM responsible: System Analysts / Engineering, CCG Team.
4.27 | Critical fault or loss of the application servers specific to the Gas activities (M3) | Possible | M3 |
4.28 | Critical fault or total loss of the iFIX SCADA system (gas compressors) (A5) | Possible | A5 |

5. Information technology - IT (Item 1.5.5 of PCNRI). BCM responsible: GETIC and/or SCADA Team.
5.1 | Critical fault or loss of corporate data and/or application servers (B2) | Probable | B2 | *
5.2 | Critical fault or loss of the corporate PC (Windows) of the operation workstation (B2) | Probable | B2 | *
5.3 | Virus (corporate network) (A1 or A2) | Probable | A1 or A2 | *
5.4 | Hacking or unauthorized access (corporate or automation environment) (A1 or A2) | Possible | A1 or A2 |
5.5 | Total loss of the corporate PCs (Windows) of CNCO Headquarters or CNCO Backup, including those supporting the operation (A1 or A2) | Possible | A1 or A2 |

6. Utility systems and/or other equipment (Item 1.5.6 of PCNRI). BCM responsible: SCADA Team.
6.1 | Blackout of the electric system (utility companies) (C) | Possible | C | *
6.2 | Lack of power supply from the local utility company (B4) | Possible | B4 | *
6.3 | Critical fault or total loss of the UPS (Headquarters or Backup) (A1 or A2) | Possible | A1 or A2 | *
6.4 | Critical fault or total loss of the electrical panel of the CNCO infrastructure (Headquarters or Backup) (A1 or A2) | Possible | A1 or A2 |
6.5 | Critical fault or total loss of the electric power generators (Headquarters or Backup) (A1 or A2) | Possible | A1 or A2 |
6.6 | Critical fault or total loss of the air-conditioning (cooling) system (Headquarters or Backup) (A1 or A2) | Possible | A1 or A2 | *
6.7 | Critical fault or total loss of the FM 200 detection system (Headquarters or Backup) (A1 or A2) | Possible | A1 or A2 |
6.8 | Total loss of the telephone recording system (Headquarters or Backup) (M1) | Possible | M1 | *
6.9 | Lack of the videowall system (Headquarters) (B3) | Possible | B3 | *

Each group in the original figure ends with an empty "Other threats" row (one of them marked "restricted use of information"), and a variant of row 6.1 appears at the foot of the figure: 6.1 | Blackout of the national electric system (utility companies) | Possible | B4.
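The impact table of Figure 3 and the threat rows of Figure 4 reduce to a small model that can be checked mechanically. The following Python is an added example, not code from the paper or from Transpetro: it encodes the page's five probability grades, the scenario-code to impact mapping of Figure 3, and the rule visible in Figure 4 that a threat hitting Headquarters and Backup at once (A1 and A2) is rated Catastrophic; it then ranks a sample of Figure 4 rows by Risk = P x I and counts the High-or-worse items each BCM responsible must treat. The numeric cut-offs of the risk matrix and the policy floor that a Catastrophic impact is never rated below High are assumptions, because the paper shows the matrix only as a colour-coded figure.

```python
"""Qualitative risk register after the CNCO FRAAP table (added example).

Scales, scenario codes and the "A1 and A2 = C" escalation come from Figures 3
and 4 of the paper; RISK_LEVELS and the Catastrophic floor are ASSUMED.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Probability(IntEnum):
    IMPROBABLE = 1
    RARE = 2
    POSSIBLE = 3
    PROBABLE = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    INSIGNIFICANT = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CATASTROPHIC = 5


# Scenario code -> magnitude of impact, as in the CNCO impact assessment (Figure 3).
SCENARIO_IMPACT: dict[str, Impact] = {"C": Impact.CATASTROPHIC, "I": Impact.INSIGNIFICANT}
SCENARIO_IMPACT.update({f"A{n}": Impact.HIGH for n in range(1, 6)})
SCENARIO_IMPACT.update({f"M{n}": Impact.MEDIUM for n in range(1, 6)})
SCENARIO_IMPACT.update({f"B{n}": Impact.LOW for n in range(1, 5)})

# ASSUMED: lower bounds on the product P x I (1..25) for each risk level the
# page names. The paper prints the matrix only as a colour-coded figure.
RISK_LEVELS = ((20, "Catastrophic"), (12, "High"), (6, "Medium"), (3, "Low"), (1, "Insignificant"))
LEVEL_RANK = {name: rank for rank, (_, name) in enumerate(reversed(RISK_LEVELS))}


def risk_level(p: Probability, i: Impact) -> str:
    """Risk = P x I read off the (assumed) matrix cut-offs.

    ASSUMED policy floor: a Catastrophic impact (both control centers lost)
    is never rated below High, however improbable.
    """
    score = int(p) * int(i)
    level = next(name for floor, name in RISK_LEVELS if score >= floor)
    if i is Impact.CATASTROPHIC and LEVEL_RANK[level] < LEVEL_RANK["High"]:
        level = "High"
    return level


def combined_impact(scenarios: tuple[str, ...], conjunctive: bool) -> Impact:
    """Impact of a threat mapped to several scenario codes.

    conjunctive=True means the codes occur together ("A1 and A2"), which
    Figure 4 rates as C; otherwise ("A1 or A2") the worst single scenario
    applies. Unknown codes are rejected rather than silently ignored.
    """
    codes = set(scenarios)
    unknown = codes - set(SCENARIO_IMPACT)
    if unknown:
        raise ValueError(f"unknown scenario code(s): {sorted(unknown)}")
    if conjunctive and {"A1", "A2"} <= codes:
        return Impact.CATASTROPHIC
    return max(SCENARIO_IMPACT[c] for c in codes)


@dataclass(frozen=True)
class Threat:
    ref: str                    # row number in Figure 4
    event: str
    owner: str                  # "BCM responsible" in Figure 4
    probability: Probability
    scenarios: tuple[str, ...]
    conjunctive: bool = False   # True for "A1 and A2", False for "A1 or A2"


@dataclass(frozen=True)
class Assessed:
    threat: Threat
    impact: Impact
    score: int
    level: str


def assess(threats) -> list[Assessed]:
    """Rate every row and return them worst-first (score, then row reference)."""
    rated = []
    for t in threats:
        imp = combined_impact(t.scenarios, t.conjunctive)
        score = int(t.probability) * int(imp)
        rated.append(Assessed(t, imp, score, risk_level(t.probability, imp)))
    rated.sort(key=lambda a: (-a.score, a.threat.ref))
    return rated


def high_or_worse_by_owner(rated) -> Counter:
    """Number of items rated High or above that each BCM responsible must treat."""
    return Counter(a.threat.owner for a in rated if LEVEL_RANK[a.level] >= LEVEL_RANK["High"])


# Sample rows transcribed from Figure 4 (wording shortened).
CNCO_ROWS = (
    Threat("1.2.7", "Terrorism", "EGI, SCADA and Operating Team", Probability.IMPROBABLE, ("I",)),
    Threat("2.3", "Union strike, work action", "CCO, CCG and SCADA Team", Probability.PROBABLE, ("M1",)),
    Threat("3.1", "Total loss of WAN automation network (corporate network and VSAT)",
           "TIC_PB and SCADA Team", Probability.RARE, ("A1", "A2"), conjunctive=True),
    Threat("3.5", "Loss of intranet access (corporate applications)",
           "TIC_PB and SCADA Team", Probability.POSSIBLE, ("B1", "B2")),
    Threat("4.24", "SCADA failure during transfer between Headquarters and Backup",
           "SCADA Team", Probability.POSSIBLE, ("A1", "A2")),
    Threat("5.3", "Virus (corporate network)", "GETIC and/or SCADA Team", Probability.PROBABLE, ("A1", "A2")),
    Threat("5.4", "Hacking or unauthorized access (corporate or automation environment)",
           "GETIC and/or SCADA Team", Probability.POSSIBLE, ("A1", "A2")),
    Threat("6.1", "Blackout of the electric system (utility)", "SCADA Team", Probability.POSSIBLE, ("C",)),
)


if __name__ == "__main__":
    ranked = assess(CNCO_ROWS)
    for a in ranked:
        print(f"{a.threat.ref:<6} {a.threat.probability.name:<10} {a.impact.name:<13} {a.score:>2} {a.level}")
    print(dict(high_or_worse_by_owner(ranked)))
```

Adopting an organisation's own matrix is a change to RISK_LEVELS and the floor rule only; the strict check in combined_impact is worth keeping because registers of this size accumulate scenario-code typos, and a silent default would hide a row from the treatment plan.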


3.5. Management Committee of Business Continuity

Incident Management Team (Crisis) - EGI

This team assumes responsibility for all phases of incident management and recovery work at CNCO, from the incident (disaster) declaration to complete demobilization. EGI is composed of the key leaders of the company listed below and leads the Incident Management and Recovery Plans, within their respective activities, from a Crisis Command Center, together with the other teams to be formed. EGI is also responsible for managing the BCM program.

EGI Leader: Oil Operating Manager
EGI Members: Sr. Consultant (Leader of the BCM Program); SCADA Coordinator (1st substitute); CCO Coordinator (2nd substitute); Security liaison; Adm. Manager (Condominium) liaison; GETIC (IT) liaison

Damage Assessment and Incident Management Team - EADGI
Leader: Sr. Consultant. Members: CNCO representatives (see Table II).

Incident Recovery Executive Team, formed by the three teams below.

OPERATION (ERIOP)

This team is responsible for implementing the response and incident recovery activities, as outlined in the Incident Response Plan (PRI) developed by the Planning Team. The leader or substitute for this activity reports to the Planning Team leader and determines the necessary resources and the organizational structure within the operations of the Incident Response Team.
Name: Leader and Substitute. Members: see Table III.

PLANNING (ERIPLAN)

This team is responsible for developing the Incident Action Plan used to manage the incident. It is also responsible for collecting, evaluating, disseminating and using information regarding the development of the incident and the status of resources.
Name: Leader and Substitute. Members: see Table IV.

ADM/LOGISTICS (ERIAL)

This team provides support services to all incident management and recovery teams at CNCO and is responsible for, but not limited to, the following specific functions: recording the costs related to CNCO; purchasing; controlling the man-hours spent on the incident; overtime; HR resources; transport and accommodation of staff; interface with Security personnel and with the utility systems Maintenance Team.
Name: Leader and Substitute. Members: see Table V.


3.6. Samples of checklist applied to the BCM Program

3.7. Samples of forms applied to the BCM Program

LV.5.1 - INITIAL INCIDENT RESPONSE CHECKLIST – EGI AND EADGIIncident occurs. During non-business hours => Cotur havind been informed of the incident that can affect the CNCO, starts the local emergency procedures and notifies the Manager of Pipeline Control Center (leader of the Incident Management Team) that following the General Procedure: PG-0TP-00088 - Contingency Management.

Both Cotur Oil and Gas, notify their respective Coordinators of the CCO and CCG, the Coordinator of the Telecommunications Operations Center and Services (CORS), the SCADA Staff and shift teams at Headquarters (SMS - Safety environment and health, Maintenance and Fire Brigade).

During normal business hours => If the information about the incident was directly to EGI Leader or substitute (Manager / Coordinator), they communicate to the Cotur, that follows the local emergency procedures. The EGI notifies the SCADA support and headquarters staff (SMS - Safety environment and health, Maintenance and Fire Brigade), If that support staff has not been notified by other authorities. If a disaster is declared, the EGI Leader ou his substitute should

1. Notifies Transpetro's high administration 2. Notifies the EADGI for inspection of the incident and activates the Crisis Operations

Center (COC) 3. Activates Business Continuity Planning and Incident Response 4. Notifies the leaders of the Executive Team Incident Recovery – ERIPLAN, ERIOP e

ERIAL 5. Launches emergency response procedure

Form 1 - Objectives and Strategies for Treatment or Disaster Recovery, Scenario x Process - Asset: Supporting Utilities

6.2 - Critical fault or total loss of the UPS (Headquarters or Backup) (A1 or A2)
6.3 - Critical fault or total loss of the Electrical Panel (Headquarters or Backup) (A1 or A2)
6.4 - Critical fault or total loss of the Electric Power Generators (Headquarters or Backup) (A1 or A2)

Impact, for each of the scenarios above:
A1 - Disruption of Centralized Operation (CNCO Headquarters), or
A2 - Disruption of Centralized Operation (CNCO Backup)

Objectives and strategies:
a - Systematically audit the maintenance management of the electrical system and infrastructure at CNCO Headquarters and Backup: periodically apply predictive Power Quality analysis and thermography, and carry out systematic tests on the parameters acquired by the technology, using the generated graphs; provide resources in the annual investment plan.
b - In the directory (BCM/Design/Electrical), archive the information and documents of the existing project, equipment manuals and technical specifications, the Descriptive Memorial (MD) for contracting, supplier information, etc., for quick use.
c - Keep minutes prepared to request an opinion from the Legal Department for contracting services and/or acquiring assets.

Immediate actions:
1 - Transfer the operation to CNCO Backup, or bring the operation back to Headquarters if the Backup is operational.
2 - Apply the BCM plan.

Responsible:
Actions: 1 - SCADA and Operation Team; 2 - EGI.
Strategies: a - SCADA Team; b, c - Leader of the BCM Program and SCADA Team; d - SCADA Team.
BCM Responsible: Leader of the BCM Program.

Form 1 - Objectives and Strategies for Treatment or Disaster Recovery, Scenario x Process - Asset: Automation/SCADA Technology

4:24 - SCADA System failure in the transfer process of operations between CNCO Headquarters and CNCO Backup (A1 or A2)
A1 - Disruption of Centralized Operation (CNCO Headquarters), or
A2 - Disruption of Centralized Operation (CNCO Backup)

Immediate actions:
1 - Discuss and set the maximum time to abort the transfer between Control Centers.
2 - Move the operators group from CNCO Backup to CNCO Headquarters, or vice versa, considering the maximum time of xx minutes; estimated average time to return: xx H:M.
3 - Vehicles for moving the operators must be available for the transfer to succeed.

Objectives and strategies:
a - Discuss strategies to manage the event (for example, centralizing the disclosure of information to Transpetro's top management and other interested areas, justifying the non-completion of the transfer process), to be systematized in the body of the document "CNCO CHECK-LIST transfer and OPERATION BY THE CNCO BACKUP STATION # xx/year". Ex.: the agreed time to abort the transfer process is xx minutes.
b - Keep the systematic practice of producing a report (REL-SCADA # xx/year) and a subsequent critical analysis of the main events during the transfer process, to indicate possible improvements (TOR = xx days), including the causes that prevented completion of the transfer.

Responsible:
Actions: 1, 2, 3 - Oil and Gas Operation Coordinators.
Strategies: a - EGI; b - Oil and Gas Operation Coordinators and SCADA Team.
BCM Responsible: Leader of the BCM Program.

Form 5 - Incident Report

Fields: Date/Time; Threat Type or Event (Annex X); Impact (Annex X); Event Location; Magnitude of Event; Probable Cause; Immediate Action (aligned with Recovery Strategy - Form 1), RTO <= 4 hours; Complementary Actions (aligned with Recovery Strategy - Form 1), RTO > 4 hours; Need for Evacuation; Notification of Public Agencies; Deaths or Injured; Access to the facilities (CNCO and TIC_PB); BCM Responsible; Information to Stakeholders (public interest).

Example 6.3 - Critical fault or total loss of the UPS (Headquarters or Backup) (A1 or A2):
- Impact: A1 - Disruption of Centralized Operation (CNCO Headquarters)
- Event Location: UPS/"No Break" Room - CNCO Headquarters
- Magnitude of Event: 1 - Disaster not declared
- Probable Cause: under analysis
- Immediate Action (RTO <= 4 hours): 1 - Transfer the operation to CNCO Backup
- Complementary Actions (RTO > 4 hours): Contract direct maintenance service from the manufacturer
- Need for Evacuation: N; Notification of Public Agencies: N; Deaths or Injured: N; Access to the facilities: Y
- BCM Responsible: SCADA Leader
- Information to Stakeholders: Informed that, for operational safety, the operation will only return to CNCO Headquarters after total

Form 4 - Damage Assessment of Equipment or Critical Systems, Physical Installations and Infrastructure

Fields: Date and Time of Event; Threat Type or Event (Annex X); Event Location (rooms or shelters); System or Equipment; Condition of use or integrity (equipment and/or critical system); Condition of use or integrity (physical installation and/or building infrastructure); Recovery Time Objective or replacement (estimated) - RTO; BCM Assessment Team (Table II of PCNRI); Status and (Date); Completed by (name and registration number); Relevant notes.

Example 6.4 - Critical fault or total loss of the Electrical Panel of the CNCO infrastructure (Headquarters or Backup) (A1 or A2):
- Event Location: UPS/"No Break" Room - CNCO Headquarters
- System or Equipment: QFNB-1 - General Electrical Panel "No Break-1" - No Break room - underground
- Condition of use or integrity (equipment/critical system): 2 - damaged but usable, requires little maintenance (maintenance cost < 10% of the replacement price)
- Condition of use or integrity (physical installation/building infrastructure): 1 - No damage
- RTO (estimated): 1 week
- BCM Assessment Team: SCADA Team
- Status: in progress
- Completed by: SCADA Leader
- Relevant notes: hire service

LV.5.2.1 - LIST OF TASKS OF THE DAMAGE ASSESSMENT AND INCIDENT MANAGEMENT TEAM - EADGI

Gather information about the incident from first-hand contact with rescuers or duty personnel (fire brigade, maintenance, SMS, etc.) and other employees, and relay it to the Incident Management Team (EGI) (use Form 5). Through the SMS representative, direct the safety actions needed to guarantee the physical integrity of the staff and other personnel involved in the event, as appropriate. Make an initial assessment of the incident's likely impact on local operational activities, as defined in the BIA and Annex X.

Establish and maintain communication with the Crisis Operations Center (COC), led by the EGI. Provide conclusive data to the disaster declaration process (Forms 4 and 5). Provide a post-event report on the activities, following the model to be defined in the Incident Recovery Planning process (use Forms 1, 4 and 5).


3.8. Business Continuity Management System (BCMS)

To assure the effectiveness of the implementation and maintenance of the CNCO BCM program, a system to assess the management of the program was adopted. The British Standards Institute's Good Practice Guide to Business Continuity Management (PAS 56) [6] and BS ISO 22313 [1] are used as the baseline for the assessment. The Business Continuity Institute PAS 56 Audit Workbook lets an organization carry out a self-assessment benchmark against PAS 56. It consists of a menu of questions (benchmark comparators) and a good-practice compliance aggregation dashboard; the comparators (both Process and Performance) are founded on the BCI BCM Good Practice Guidelines evaluation criteria. The workbook has six scorecards (in addition to the introduction, user guidelines and instructions) that reflect the BCM lifecycle; the questions and compliance dashboard within each lifecycle stage let the assessor establish whether the organization is applying BCM good practice. Each of the six scorecards provides both a Good Practice Guidelines Process benchmark and a Performance benchmark. All questions in the workbook must be answered and reach the 'green' percentage level of compliance for the organization to achieve the BCI PAS 56 BCM Good Practice (Process and Performance) Audit Benchmark. The workbook quickly establishes the maturity of an organization's BCM competence and capability, and that maturity has a direct bearing on the ability to complete part or all of the workbook. It also provides a mechanism to monitor, track and progress the Business Continuity and Crisis Management issues and actions identified by the assessment. The workbook has six objectives:

1. To provide a BCM enabling benchmark tool.
2. To enable the CNCO to evaluate its current BCM competence and capability against the BSI PAS 56 BCM good practice evaluation benchmark (process and performance) criteria.
3. To provide a consistent good practice benchmark (process and performance) and process to assess the maturity of the CNCO's BCM competence and capability.
4. To enable and inform the creation of the CNCO's BCM management information dashboard of Key Performance Indicators (KPIs).
5. To identify gaps and hot spots in the CNCO's BCM competence and capability.
6. To clearly demonstrate and provide evidence that the CNCO is discharging its risk, legal, regulatory and corporate governance accountability and responsibilities.

Figure 5. PAS 56 Components Radar Chart - Business Continuity Management System (BCMS) - CNCO


Figure 6. Sample of The Business Continuity Institute PAS 56 Audit Workbook

4. Requirements identified by the BCM Application in CNCO

The development of the CNCO BCM program identified the following improvements, which have already been concluded or are under development:

- Applying a heuristic model for the evaluation of CNCO infrastructure maintenance management, to meet the needs of centralized operation using SCADA technology.
- Consolidating the use of the "Autonomic Management" concept and developing the SAG tool for on-line monitoring of the SCADA and telecommunication system infrastructure.
- For the operation, to better assess operational and procedural reliability, a benchmark study was carried out in 2014 to assess workload (reference: American pipeline companies). It identified the need to review some executive processes (e.g. shift handover). The use of references from the NASA TLX (Task Load Index) methodology and from the PHMSA regulatory body (Pipeline and Hazardous Materials Safety Administration) was suggested to mitigate fatigue in control centers. Improving the alarm management program and conducting a human reliability study were also suggested.
- Identifying priorities for the risk analysis of telecommunication processes (development of a customer flow for telecom services and formalization of Service Level Agreements - SLAs).
- Developing improvements in protection against unauthorized access (hacking) and viruses (in progress).
- Systematically performing critical analysis to improve the "hot" transfer of operation between CNCO Headquarters, in the center of Rio de Janeiro, and CNCO Backup, in Campos Eliseos.
- Improving the management process of SCADA system maintenance through application of the heuristic model for evaluating this management (see Figure 7).

5. Maintenance Management Process of the CNCO SCADA System and Infrastructure

A maturity model to assess the Maintenance and Administration Management Process of the SCADA technology and of the physical and auxiliary infrastructure that makes up the CNCO [8] has been implemented. Figure 7 shows the chart and the metrics for each part of the SCADA system and its infrastructure.

Benchmark - BS ISO 22313 - Business Continuity Management Systems - Guidance. Stage One - BCM PROGRAMME MANAGEMENT.
TRANSPETRO - CNCO - CENTRO NACIONAL DE CONTROLE OPERACIONAL

Scorecard columns: Lifecycle Stage; No. of Questions; Question No.; Questions; number of returns in each answer band (NO (0%), 20%, 40%, 60%, 80%, 90%, YES (100%), N/A); Total No. of Returns; Average Score; Question Weight; Weighted Score; Compliance; Comments/Evidence; Suggested Areas for Review; Remedial Action Plans; Summary of Remedial Action Plans; Owner; Completion Date.

BCM Management (12 questions), sample rows:
1.1 Does the CNCO have a clearly defined, documented and approved management process to manage its BCM programme? - YES: 1 | Returns: 1 | Average score: 100 | Weight: 0.08 | Weighted score: 8 | Compliance: 100
1.2 Does the CNCO use the BSI PAS 56 as an integral part of its BCM programme? - YES: 1 | Returns: 1 | Average score: 100 | Weight: 0.08 | Weighted score: 8 | Compliance: 100

Each Stage Section Aggregate Dashboard (Stage | Section | Section name | No. of questions | returns per band NO/20/40/60/80/90/YES/N/A | Average score | Weight | Weighted score | Compliance):
1 | 1 | BCM Programme Management | 12 | 1 0 0 0 0 1 7 3 | 88 | 1.00 | 88 | 88
1 | 2 | BCM Policy | 7 | 0 0 0 0 0 0 6 1 | 100 | 1.00 | 100 | 100
1 | 3 | BCM Assurance | 5 | 0 0 0 0 0 1 3 1 | 98 | 1.00 | 98 | 98

Stage Aggregate Dashboard (Section | Section name | No. of questions | returns per band NO/20/40/60/80/90/YES/N/A | Average score | Weight | Weighted score):
1 | BCM Programme Management | 12 | 1 0 0 0 0 1 7 3 | 88 | 0.33 | 29
2 | BCM Policy | 7 | 0 0 0 0 0 0 6 1 | 100 | 0.33 | 33
3 | BCM Assurance | 5 | 0 0 0 0 0 1 3 1 | 98 | 0.33 | 33
Stage total (3 sections): 95
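The scorecard arithmetic behind the dashboard figures in Section 3.8 and in the Figure 6 sample can be reproduced from the visible return counts. The following Python is an added example written for this page; it is not code from the paper, from Transpetro or from the BCI workbook. It assumes, from the numbers shown, that N/A answers are excluded from a section's average, that every question in a section has the same weight (1/n, displayed as 0.08 for 12 questions), that every section in a stage has the same weight (1/3, displayed as 0.33), and that displayed integers are rounded half-up. The answer sets are constructed from the per-band return counts printed in the figure (for instance, 1 NO, 1 at 90%, 7 YES and 3 N/A for BCM Programme Management); the `open_items` helper and its 100% 'green' threshold are assumptions, since the page does not state the green level.

```python
"""Re-implementation of the PAS 56 Audit Workbook aggregation visible in Figure 6.

Added example; not the paper's or the BCI workbook's own code.  Assumptions
(not stated on the page): N/A answers are excluded from the average, question
weight = 1/n within a section, section weight = 1/sections within a stage,
displayed integers are rounded half-up, 'green' = 100%.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Score attached to each answer band of the workbook scorecard (NO = 0 ... YES = 100).
BANDS = ("NO", "20%", "40%", "60%", "80%", "90%", "YES")
BAND_SCORE: Dict[str, int] = dict(zip(BANDS, (0, 20, 40, 60, 80, 90, 100)))


def round_half_up(x: float) -> int:
    """Commercial rounding; Python's round() would round 97.5 to 98 as well, but
    only because 98 is even, so make the convention explicit."""
    return int(x + 0.5) if x >= 0 else -int(-x + 0.5)


@dataclass
class Section:
    name: str
    answers: List[Optional[str]]  # one band label per question; None means N/A

    def returns(self) -> Dict[str, int]:
        """Number of returns in each band, plus N/A, as printed on the scorecard."""
        counts = {b: 0 for b in BANDS}
        counts["N/A"] = 0
        for a in self.answers:
            counts["N/A" if a is None else a] += 1
        return counts

    def average_score(self) -> float:
        """Average over answered questions only: an N/A does not drag the score down."""
        scored = [BAND_SCORE[a] for a in self.answers if a is not None]
        return sum(scored) / len(scored) if scored else 0.0

    def question_rows(self) -> List[Tuple[int, int, float, int]]:
        """Per-question (question no., score, displayed weight, weighted score), weight = 1/n."""
        n = len(self.answers)
        rows = []
        for i, a in enumerate(self.answers, start=1):
            score = 0 if a is None else BAND_SCORE[a]
            rows.append((i, score, round(1 / n, 2), round_half_up(score / n)))
        return rows

    def open_items(self, green: int = 100) -> List[int]:
        """Question numbers below the 'green' level (assumed 100%): these are the
        rows that need a remedial action plan, owner and completion date."""
        return [i for i, a in enumerate(self.answers, start=1)
                if a is not None and BAND_SCORE[a] < green]


def stage_dashboard(sections: List[Section]) -> Tuple[List[Tuple[str, int, int]], int]:
    """Stage Aggregate Dashboard: (section name, average score, weighted score) per
    section plus the stage total, with equal section weights of 1/len(sections)."""
    n = len(sections)
    rows, total = [], 0.0
    for s in sections:
        avg = s.average_score()
        rows.append((s.name, round_half_up(avg), round_half_up(avg / n)))
        total += avg / n
    return rows, round_half_up(total)


# Constructed from the return counts in Figure 6 (Stage One), not from real answers.
STAGE_ONE = [
    Section("BCM Programme Management", ["NO", "90%"] + ["YES"] * 7 + [None] * 3),
    Section("BCM Policy", ["YES"] * 6 + [None]),
    Section("BCM Assurance", ["90%"] + ["YES"] * 3 + [None]),
]

if __name__ == "__main__":
    for s in STAGE_ONE:
        print(s.name, s.returns(), round_half_up(s.average_score()),
              "needs remedial plan:", s.open_items())
    rows, total = stage_dashboard(STAGE_ONE)
    for row in rows:
        print(row)
    print("Stage compliance:", total)
```

Running it reproduces the figure: section averages 88, 100 and 98, weighted contributions 29, 33 and 33, and a stage total of 95. The point worth noticing for anyone maintaining such a dashboard is that the two "33" entries come from 33.3 and 32.5 before rounding, so the stage total must be computed from the unrounded contributions, not by adding the displayed integers.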


Figure 7. The results of support infrastructure of CNCO SCADA system evaluation.

6. Conclusion

Through the BCMS, the organizational structure of the CNCO can recognize what needs to be done before an incident occurs and, if one occurs, systematize how to treat and manage it, in order to protect people, business, technology, information, the supply chain, stakeholders and the company's reputation. From this recognition, the CNCO's organizational structure can have a realistic view of the responses that could be implemented in the event of interruption of its MCAs; with the BCM program, the organization can be confident that it will manage any of the consequences within the scenarios raised, without unnecessary delays in the delivery of its products and services.

References
[1] BS ISO 22313:2012, 'Societal security - Business continuity management systems - Guidance', 2012.
[2] Woods, D., 'TITLE', PUBLISHER, PLACE, 2005.
[3] Hollnagel, E., 'BOOK TITLE', PUBLISHER, PLACE, 2004.
[4] BS 25999-1:2006, 'Code of Practice for Business Continuity Management', United Kingdom, 2006.
[5] ABNT NBR 15999, 'Gestão de continuidade de negócios - Parte 1: Código de prática' (Business continuity management - Part 1: Code of practice), ABNT, Rio de Janeiro, RJ, Brazil, 2008.
[6] PAS 56:2003, 'Guide to Business Continuity Management', BSI and Business Continuity Institute, UK, 2003.
[7] Peltier, Thomas R., 'Information Security Risk Analysis', CRC Press, Taylor & Francis Group, USA, 2005.
[8] Santos, R. S.; Alves, D., 'A Model to Evaluate the Support Infrastructure of TRANSPETRO National Operational Control Center Scada System', Anais da Rio Pipeline Conference 2011, Rio de Janeiro, RJ, Brazil, 2011.
[9] Faertes, D., 'BCM Workbook', Risk Assessment and Management Post-Graduation Course, Federal University of Rio de Janeiro (UFRJ), Rio de Janeiro, Brazil, 2010.

Maturity scale used in Figure 7 (level - name: description, from highest to lowest):
4 - Optimized: continuous improvement and refinement of processes.
3 - Managed: consistent and good indicators; targets and plans based on data; integrated and aligned processes.
2 - Well Structured: standardized procedures; some degree of control.
1 - Organized: beginning use of indicators; main processes defined.
0 - Informal: insufficient knowledge of the process.